Preventing XSS
terrorfall opened this issue
Not sure if I'm missing something obvious here, but how do I prevent XSS?
I've been able to insert a script alert function into the database and I can't see anywhere to add the validator to prevent this.
Line 32 on src/resources/views/usersmanagement/show-user.blade.php
{!! trans('laravelusers::laravelusers.showing-user-title', ['name' => $user->name]) !!}
This should be {{ }} instead of {!! to prevent raw output
Thanks
Looking at the code, there are several places where the code is rendering raw HTML instead of sanitized text. For example, the show-user.blade.php, Line 32 is using:
{!! trans('laravelusers::laravelusers.showing-user-title', ['name' => $user->name]) !!}
but should ideally be:
{{ trans('laravelusers::laravelusers.showing-user-title', ['name' => $user->name]) }}
If $user->name is not sanitised, it allows XSS issues like <script>alert('XSS');</script> being output on the page. There are a few instances of this issue in the code.
Validators are in the controller.
It's supposed to render raw HTML and XSS is protected by the CSRF token.
If you make a or to update the rules I accept it.
Unfortunately, the CSRF token is not protecting against a user entering <script>alert('XSS');</script> into the "name" field. The blade will output this as a raw script tag allowing code execution.
If the rules are updated I will accept the PR.
Thanks
If I don't see a PR come across this AM I am going to take a closer look at this and its high priority.
Sorry, I'm not using this library. I just discovered this issue in a project while conducting a security review. Depending on the use of the "name" field, the issue can be resolved using rule 'regex:/[a-zA-Z\-\' ]+$/' or the built-in validation rule alpha_dash.
The regex rule allows any alpha characters as well as dashes, apostrophes and spaces, which should be sufficient for names.
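The escaping difference and the validation rule discussed in this thread, as an added example in plain PHP (not code from the package or from any commenter): escapeForHtml() reproduces what Blade's {{ }} does through Laravel's e() helper, and isValidName() applies the regex rule anchored at both ends with ^ and $. The helper names are my own and the sample names are constructed.

```php
<?php
// Added example, not code from the package under discussion: the difference
// between Blade's {!! !!} and {{ }} on a user-supplied name, plus a validator
// that applies the regex rule from the thread before the value is stored.

// Blade compiles {{ $x }} to an echo of e($x), and Laravel's e() helper
// calls htmlspecialchars() with ENT_QUOTES, which this function reproduces.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The regex rule quoted above, anchored at both ends so the entire value
// (not just its tail) must consist of letters, dashes, apostrophes or spaces.
const NAME_PATTERN = '/^[a-zA-Z\-\' ]+$/';

function isValidName(string $name): bool
{
    return preg_match(NAME_PATTERN, $name) === 1;
}

// Constructed sample inputs: a legitimate name and the payload from the issue.
$samples = [
    "Mary-Jane O'Neil",
    "<script>alert('XSS');</script>",
];

foreach ($samples as $name) {
    echo "input:      ", $name, "\n";
    echo "{!! !!}:    ", $name, "\n";                 // raw, as show-user.blade.php line 32 did
    echo "{{ }}:      ", escapeForHtml($name), "\n";  // < > ' " & become entities; the browser renders text only
    echo "validator:  ", isValidName($name) ? 'accepted' : 'rejected', "\n\n";
}
```

Run with php on the command line; the second sample is both neutralised by escaping and rejected by the validator, so either layer alone stops the stored script from executing.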
#65 PR submitted, might need further implementation around resource translation strings
Thank you both! Merged in #65
I also added strip_tags
44bee8a